Collect Sophos Capsule8 logs

Supported in:

Google secops SIEM

This document explains how to ingest Sophos Capsule8 (Linux Sensor) logs to Google Security Operations using the Bindplane agent. Sophos Linux Sensor (formerly Capsule8) provides runtime protection for Linux workloads, containers, and Kubernetes environments by detecting and responding to threats at the kernel level using eBPF technology. Alerts and telemetry data are sent to Sophos Central, where they can be exported to a SIEM using the Sophos Central SIEM Integration script.

Before you begin

Make sure you have the following prerequisites:

A Google SecOps instance
Windows Server 2016 or later, or Linux host with systemd
An additional Windows, Linux, or macOS machine capable of continuously running Python 3.7 or later
Network connectivity between the Bindplane agent and the machine running the Sophos SIEM integration script
If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
Privileged access to the Sophos Central Admin console
Sophos Linux Sensor (Capsule8) deployed on your Linux systems
Sophos Linux Sensor version 5.5.2.22 or later
One of the following Sophos Central licenses:
- Intercept X Advanced for Server with XDR
- Central Managed Detection and Response Essential Server
- Central Managed Detection and Response Complete Server

Configure Sophos Linux Sensor to export alerts to Sophos Central

Before configuring the SIEM integration, you must first configure Sophos Linux Sensor to send alert data to Sophos Central.

Find your Sophos Central MCS URL

Sign in to Sophos Central.
Click your account name, and then click Support settings.
Look for the line that starts with This account is located into identify your geographical region.

Use the following table to find your MCS URL based on your region:

Region	MCS URL
United States (Oregon)	`mcs2-cloudstation-us-west-2.prod.hydra.sophos.com`
United States (Ohio)	`mcs2-cloudstation-us-east-2.prod.hydra.sophos.com`
Ireland	`mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com`
Germany	`mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com`
Canada	`mcs2.stn100yul.ctr.sophos.com`
Australia	`mcs2.stn100syd.ctr.sophos.com`
Asia Pacific (Tokyo)	`mcs2.stn100hnd.ctr.sophos.com`
South America (Sao Paulo)	`mcs2.stn100gru.ctr.sophos.com`

Configure Sophos Linux Sensor alert output

Open /etc/sophos/runtimedetections.yaml in a text editor on the Linux host where Sophos Linux Sensor is installed.

Add or update the following configuration, replacing the placeholder values with your actual Sophos Central details:

  send_labs_telemetry 
 : 
  
 true 
 endpoint_telemetry_enabled 
 : 
  
 true 
 cloud_meta 
 : 
  
 auto 
 # Set your Sophos Central tenant ID 
 customer_id 
 : 
  
 "{TENANT_ID}" 
 mcs 
 : 
  
 token 
 : 
  
 "{LINUX_REPO_API_KEY}" 
  
 url 
 : 
  
 "{MCS_URL}" 
  
 enabled 
 : 
  
 true

{TENANT_ID} : Your Sophos Central tenant ID.
{LINUX_REPO_API_KEY} : Your SLS package repository API token.
{MCS_URL} : The MCS URL for your region from the table above.

Save the file and exit.

Restart the Sophos Linux Sensor service:

 sudo  
systemctl  
restart  
sophoslinuxsensor

Configure Sophos Linux Sensor to send metaevents to Data Lake (optional)

Starting in version 5.11.0, Sophos Linux Sensor supports sending event data to the Sophos Data Lake for additional telemetry.

Open /etc/sophos/runtimedetections.yaml in a text editor.

Add the following configuration:

  investigations 
 : 
  
 reporting_interval 
 : 
  
 5s 
  
 zeromq 
 : 
  
 topics 
 : 
  
 - 
  
 process_events 
 : 
  
 running_processes_linux_events 
  
 audit_user_msg 
 : 
  
 user_events_linux 
  
 sinks 
 : 
  
 - 
  
 backend 
 : 
  
 mcs 
  
 name 
 : 
  
 "mcs" 
  
 type 
 : 
  
 mcs 
  
 flight_recorder 
 : 
  
 enabled 
 : 
  
 true 
  
 tables 
 : 
  
 - 
  
 name 
 : 
  
 "process_events" 
  
 enabled 
 : 
  
 true 
  
 rows 
 : 
  
 1000 
  
 filter 
 : 
  
 - 
  
 match eventType == "PROCESS_EVENT_TYPE_EXEC" 
  
 - 
  
 match eventType == "BASELINE_TASK" 
  
 - 
  
 default ignore 
  
 - 
  
 name 
 : 
  
 "audit_user_msg" 
  
 enabled 
 : 
  
 true 
  
 rows 
 : 
  
 1000 
  
 filter 
 : 
  
 - 
  
 ignore programName == "cron" 
  
 - 
  
 ignore processPid == 1 
  
 - 
  
 default match

Save the file and exit.

Restart the Sophos Linux Sensor service:

 sudo  
systemctl  
restart  
sophoslinuxsensor

Get Google SecOps Ingestion Authentication File

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File.
Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer IDfrom the Organization Detailssection.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

Open Command Promptor PowerShellas an administrator.

Run the following command:

  msiexec 
  
 / 
 i 
  
 "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" 
  
 / 
 quiet

Wait for the installation to complete.
Verify the installation by running:
```
 sc query observiq-otel-collector 
```
The service should show as RUNNING.

Linux installation

Open a terminal with root or sudo privileges.

Run the following command:

 sudo  
sh  
-c  
 " 
 $( 
curl  
-fsSlL  
https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
 " 
  
install_unix.sh

Wait for the installation to complete.
Verify the installation by running:
```
 sudo  
systemctl  
status  
observiq-otel-collector 
```
The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see Bindplane agent installation guide .

Configure the Bindplane agent to ingest syslog and send to Google SecOps

Locate the configuration file

Linux:

 sudo  
nano  
/etc/bindplane-agent/config.yaml

Windows:

 notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

Edit the configuration file

Replace the entire contents of config.yaml with the following configuration:

  receivers 
 : 
  
 udplog 
 : 
  
 listen_address 
 : 
  
 "0.0.0.0:514" 
 exporters 
 : 
  
 chronicle/sophos_capsule8 
 : 
  
 compression 
 : 
  
 gzip 
  
 creds_file_path 
 : 
  
 '/etc/bindplane-agent/ingestion-auth.json' 
  
 customer_id 
 : 
  
 'your-customer-id' 
  
 endpoint 
 : 
  
 malachiteingestion-pa.googleapis.com 
  
 log_type 
 : 
  
 SOPHOS_CAPSULE8 
  
 raw_log_field 
 : 
  
 body 
  
 ingestion_labels 
 : 
 service 
 : 
  
 pipelines 
 : 
  
 logs/sophos_capsule8_to_chronicle 
 : 
  
 receivers 
 : 
  
 - 
  
 udplog 
  
 exporters 
 : 
  
 - 
  
 chronicle/sophos_capsule8

Configuration parameters

Replace the following placeholders:

Receiver configuration:
- listen_address : IP address and port to listen on. Use 0.0.0.0 to listen on all interfaces. Port 514 is the standard syslog port.
Exporter configuration:
- creds_file_path : Full path to the ingestion authentication file:
  - Linux: /etc/bindplane-agent/ingestion-auth.json
  - Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
- customer_id : Google SecOps Customer ID.
- endpoint : Regional endpoint URL:
  - US: malachiteingestion-pa.googleapis.com
  - Europe: europe-malachiteingestion-pa.googleapis.com
  - Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
  - See Regional Endpoints for complete list.

Save the configuration file

After editing, save the file:
- Linux: Press Ctrl+O , then Enter , then Ctrl+X
- Windows: Click File > Save

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux, run the following command:

 sudo  
systemctl  
restart  
observiq-otel-collector

Verify the service is running:

 sudo  
systemctl  
status  
observiq-otel-collector

Check logs for errors:

 sudo  
journalctl  
-u  
observiq-otel-collector  
-f

To restart the Bindplane agent in Windows, choose one of the following options:
- Command Prompt or PowerShell as administrator:
```
 net stop observiq-otel-collector && net start observiq-otel-collector 
```
- Services console:
  1. Press Win+R , type services.msc , and press Enter.
  2. Locate observIQ OpenTelemetry Collector.
  3. Right-click and select Restart.
  4. Verify the service is running:
```
 sc query observiq-otel-collector 
```
  5. Check logs for errors:
```
  type 
  
 "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log" 
 
```

Configure Sophos Central API credentials

Sign in to Sophos Central Admin.
Go to Global Settings > API Credentials Management.
Click Add Credential.
Enter a name and an optional description for the credential, and then click Add.
Copy the Client IDand Client Secret. Store them securely.

Note: The client secret is only shown once. If you lose it, you must create a new credential.

Install and configure the Sophos Central SIEM Integration script

Install Python

Download and install Python 3.7 or later from the Python website .
On Windows, check the box Add Python to PATHduring installation.
Verify the installation by running:
```
 python3  
--version 
```

Download the Sophos Central SIEM Integration script

Download the latest release from the Sophos Central SIEM Integration GitHub Repository .
Extract the ZIP file to a directory on the machine where the script will run.

Configure the SIEM Integration script

In the extracted directory, copy config.ini.sample to config.ini .
Open config.ini in a text editor.
Under the [login] section, enter the API credentials:
- client_id : Enter the Client ID from Sophos Central.
- client_secret : Enter the Client Secret from Sophos Central.
Set the output format:
- format : Enter json .
Set the output destination to syslog:
- filename : Enter syslog .
Set the endpoint type:
- endpoint : Enter all to collect both events and alerts.
Configure the syslog properties:
- address : Enter the IP address and port of the Bindplane agent (for example, 192.168.1.100:514 ).
- facility : Enter daemon .
- socktype : Enter udp .
Save and close the file.

Note: For a complete list of configuration options, refer to the Sophos Central SIEM Integration README .

Run the SIEM Integration script

Open a terminal or command prompt and navigate to the script directory.
Run the script:
```
 python3  
siem.py 
```
Note: The script fetches the last 12 hours of events on its initial run. A maximum of 24 hours of historical data can be retrieved. On subsequent runs, the script picks up from where it left off using a state file.

Automate the SIEM Integration script

Windows (Task Scheduler)

Open Task Schedulerfrom the Start menu.
Click Create Task.
In the Generaltab:
- Name: Enter Sophos Capsule8 SIEM Export .
In the Triggerstab:
1. Click New.
2. Set the task to repeat every 5 minutesfor a duration of Indefinitely.
In the Actionstab:
1. Click Newand select Start a program.
2. In the Program/scriptfield, enter the path to python.exe .
3. In the Add argumentsfield, enter the full path to siem.py .
4. In the Start infield, enter the directory containing siem.py .
Click OKto save the task.

Linux or macOS (cron)

Open a terminal and edit the crontab:
```
 crontab  
-e 
```
Add the following line to run the script every 5 minutes:
```
 */5 * * * * cd /path/to/Sophos-Central-SIEM-Integration && /usr/bin/python3 siem.py 
```
Note: Replace /path/to/Sophos-Central-SIEM-Integration with the actual path to the extracted script directory.
Save and exit the editor.

UDM mapping table

Log Field	UDM Mapping	Logic
`_network_interface_eth0_addr_0`	`principal.ip`	Merged
`_label_container_id`	`principal.labels`	Merged
`_label_container_name`	`principal.labels`	Merged
`_label_image_id`	`principal.labels`	Merged
`_label_image_name`	`principal.labels`	Merged
`_label_kubernetes_namespace`	`principal.labels`	Merged
`_label_kubernetes_pod`	`principal.labels`	Merged
`_label_maintainer`	`principal.labels`	Merged
`_process_labels`	`principal.labels`	Merged
`metadata.network_interface_eth0_hardware_addr`	`principal.mac`	Merged
`_security_result`	`security_result`	Merged
N/A	`metadata.gcp_instance_zone`	Constant: `^.?zones.(?P<_zone>.)`
N/A	`metadata.network_interface_eth0_addr_0`	Constant: `^(?P<_network_interface_eth0_addr_0>.*?)/`

Need more help? Get answers from Community members and Google SecOps professionals.